Getting Ubuntu password from /etc/shadow

Posted on Updated on


Ubuntu / linux stores password in /etc/shadow file not in encrypted form but by hashing it.

Passwords on a linux system are not encrypted, they are hashed which is a huge difference.

It is not possible to reverse a hash function by definition.

Run following commands to get familiar with password security in Ubunutu

 cd /etc

sudo cat passwd

this command will print content of passwd file

bhushan:  x  :   1000 : 1000 : bhushan,,,:/home/bhushan:/bin/bash

1                 :2:        3:        4:                  5                      : 6:                        7:

  1. Username: It is used when user logs in. It should be between 1 and 32 characters in length.
  2. Password: An x character indicates that encrypted password is stored in /etc/shadow file.
  3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for root and UIDs 1-99 are reserved for other predefined accounts. Further UID 100-999 are reserved by system for administrative and system accounts/groups.
  4. Group ID (GID): The primary group ID (stored in /etc/group file)
  5. User ID Info: The comment field. It allow you to add extra information about the users such as user’s full name, phone number etc. This field use by finger command.
  6. Home directory: The absolute path to the directory the user will be in when they log in. If this directory does not exists then users directory becomes /
  7. Command/shell: The absolute path of a command or shell (/bin/bash). Typically, this is a shell. Please note that it does not have to be a shell.

This is user information

I want to know password of Bhushan

lets try this command

bhushan@bhushan-desktop:/etc$ cat shadow|grep “bhushan”

cat: shadow: Permission denied

what happened….i can’t run this command without root permission.

bhushan@bhushan-desktop:/etc$ sudo cat shadow|grep “bhushan”

bhushan:

$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91:15632:0:99999:7:::

/etc/shadow file fields

  1. User name : It is your login name
  2. Password: It your encrypted password. The password should be minimum 6-8 characters long including special characters/digits
  3. Last password change (lastchanged): Days since Jan 1, 1970 that password was last changed
  4. Minimum: The minimum number of days required between password changes i.e. the number of days left before the user is allowed to change his/her password
  5. Maximum: The maximum number of days the password is valid (after that user is forced to change his/her password)
  6. Warn : The number of days before password is to expire that user is warned that his/her password must be changed
  7. Inactive : The number of days after password expires that account is disabled
  8. Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute date specifying when the login may no longer be used

The password hash today comes in three parts, separated by dollar signs ($):

$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91

Here:  $ ID $ SALT $ HASH

  • Id. This identifies the encryption hash method used. A value of 1 denotes MD5; 2 or 2a is Blowfish; 3 is NT Hash; 5 is SHA-256; 6 is SHA-512.
  • Salt. This is used by the encryption algorithms, and could be up to 16 characters.
  • Hash. The actual “password” (or hash) is last. MD5 uses 22 characters, SHA-256 uses 43, and SHA-512 uses 86.

Generating sha-512 hash of a passwod using mkpasswd command

Here my salt is M0jBWc8n

Try this command

mkpasswd -m sha-512 “iwontdisplay”  M0jBWc8n

Output is:

bhushan@bhushan-desktop:~$ mkpasswd -m sha-512 “iwontdisplay” M0jBWc8n

$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91

and this is my shadow file password

$6$M0jBWc8n$iPADKsrAk67ONNeyfRj56GtAtnkwJ2uulTQEXtc8McCD/aZSB1BgJXgrqBBdyjkeUsP7yIQIjCQtDu.4I.kf91

is it same  ??? yes

so my password is iwontdisplay

If you are not getting correct password using this trial and error  go for this simpler and faster way.

About these ads

One thought on “Getting Ubuntu password from /etc/shadow

    Sid said:
    January 30, 2014 at 1:20 pm

    Awesome! Thanks for the post :)

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s